Troubleshoot VPN Site to Site between AWS and Azure

0

I have set up VPN Site to Site between AWS and Azure. Both tunnels are UP. After setting up,

  • Azure VPN gateway: 0KB Data Out, 5.91KB Data In
  • AWS VPN tunnel: 184 KB Data Out, 0KB Data In
  • Cannot ping and tracert between AWS and Azure

I have checked routing, security groups but don't find any errors. Please help me to fix this
Asked 5 months ago, 290 views
3 answers
0

Hi,

May I know if these are managed endpoints by AWS and Azure for the Site-to-Site VPN connection? If so, please refer to this document [1] which might help configuring the right parameters for the setup and to validate the configuration.

Also, I would suggest enabling site-to-site VPN logs [2] which will help narrow down the issue. Please check for any asymmetric routing issues if you have built both the tunnels.

References:

[1] https://repost.aws/knowledge-center/vpn-azure-aws-bgp

[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html#log-benefits

AWS
Answered 5 months ago
Expert
Reviewed 5 months ago
0

Here is how I would start looking at the VPN from the AWS Side [Assuming you can see the IPsec tunnel is up on your Console/CloudWatch Metrics]:

  1. What is the gateway type associated with the VPN (VGW or TGW or Cloud WAN)?
  2. Is this VPN Static Route VPN or Dynamic Routed?
  3. Is the VPC CIDR on AWS Side different than VNET on Azure Side?
  4. If Static route VPN, did you add the routes to the Azure VNET at the time of creation of the VPN?
  5. Under the VPN details, do you see anything other than 0.0.0.0/0 in Local IPv4 Network CIDR and Remote IPv4 Network CIDR?
  6. If VPN is associated with VGW, check below:
     a. Is the VGW associated to a VPC?
     b. Is there a route in the VPC route table for the Azure VNET with the next-hop as VGW?
  7. If VPN is associated with TGW, check below:
     a. Is VPN associated and propagated in the TGW route table?
     b. Is there a route to the VPC CIDR from the TGW?
     c. Is there a route from VPC to the TGW for Azure VNET?

You can use VPC Reachability Analyzer to pinpoint the component where the issue exists. You will need to validate the same things from the Azure side as well. Let me know if the above helps; if you would need more detailed troubleshooting, feel free to open a support case.

AWS
Answered 5 months ago
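The checklist above (and the log/asymmetric-routing hint in the first answer) can be turned into a script that reads the JSON the AWS CLI already gives you and reports which item fails. This is an added example, not code from either answer's author or from AWS. It assumes a VGW-attached VPN (checklist item 6) and uses the field names of the real `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables` responses; the sample data embedded below is constructed, and every ID and address in it is made up. The `traffic_pattern` helper maps the one-directional byte counters from the question (184 KB out, 0 KB in on the AWS tunnel) to the side that should be inspected first.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-vpn-connections` and
# `aws ec2 describe-route-tables` output. Every ID and address is made up.
SAMPLE_VPN = {
    "VpnConnectionId": "vpn-0example",
    "State": "available",
    "VpnGatewayId": "vgw-0example",
    "Options": {"StaticRoutesOnly": True},
    "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "State": "available"}],
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 0},
    ],
}
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "VpcId": "vpc-0example",
    "PropagatingVgws": [],
    "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
    ],
}

# Keys under which a route entry names its next hop.
NEXT_HOP_KEYS = ("GatewayId", "TransitGatewayId", "NatGatewayId",
                 "NetworkInterfaceId", "VpcPeeringConnectionId")


def cidr_within(inner, outer):
    """True when every address of `inner` lies inside `outer`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))


def tunnels_up(vpn):
    """Checklist precondition: connection available and every tunnel UP."""
    return vpn["State"] == "available" and all(
        t["Status"] == "UP" for t in vpn["VgwTelemetry"])


def next_hop_for(route_table, cidr):
    """Longest-prefix match: which next hop does this VPC route table use for `cidr`?"""
    best_len, best_hop = -1, None
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock")
        if not dest or route.get("State") != "active" or not cidr_within(cidr, dest):
            continue
        plen = ipaddress.ip_network(dest).prefixlen
        if plen > best_len:
            best_len = plen
            best_hop = next((route[k] for k in NEXT_HOP_KEYS if k in route), None)
    return best_hop


def audit_aws_side(vpn, route_table, vpc_cidr, azure_cidr):
    """Run the VGW items of the checklist; returns findings, empty when the AWS side looks right."""
    findings = []
    if not tunnels_up(vpn):
        findings.append("tunnel not UP: fix IPsec before looking at routing")
    # Item 3: overlapping address space cannot be routed across the tunnel.
    if ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(azure_cidr)):
        findings.append(f"VPC CIDR {vpc_cidr} overlaps Azure VNET {azure_cidr}")
    if vpn["Options"].get("StaticRoutesOnly"):
        # Item 4: a static VPN must list the Azure VNET as a static route.
        static = [r["DestinationCidrBlock"] for r in vpn.get("Routes", [])
                  if r.get("State") == "available"]
        if not any(cidr_within(azure_cidr, s) for s in static):
            findings.append(f"static VPN has no route covering {azure_cidr}")
    elif not any(t.get("AcceptedRouteCount", 0) > 0 for t in vpn["VgwTelemetry"]):
        findings.append("dynamic VPN but BGP accepted no prefixes from Azure")
    # Item 6b: the VPC route table must hand the Azure VNET to the VGW (static or propagated).
    vgw, hop = vpn.get("VpnGatewayId"), next_hop_for(route_table, azure_cidr)
    if hop != vgw:
        findings.append(f"route table {route_table['RouteTableId']} sends {azure_cidr} "
                        f"to {hop}, not to VGW {vgw}")
    return findings


def traffic_pattern(tunnel_data_out, tunnel_data_in):
    """Classify per-tunnel byte counters (CloudWatch TunnelDataOut/TunnelDataIn or the
    console figures in the question) to decide which side to inspect first."""
    if tunnel_data_out > 0 and tunnel_data_in == 0:
        # AWS already routes into the tunnel; nothing comes back. Check the Azure
        # route to the VPC CIDR and NSGs first, then AWS SG/NACL rules for the return path.
        return "aws_sends_only"
    if tunnel_data_out == 0 and tunnel_data_in > 0:
        # AWS never replies: check the VPC route table next hop and SG/NACLs.
        return "azure_sends_only"
    if tunnel_data_out == 0 and tunnel_data_in == 0:
        return "silent"           # nothing either way; start with the route tables
    return "bidirectional"        # data both ways; look for asymmetric routing across tunnels


if __name__ == "__main__":
    for f in audit_aws_side(SAMPLE_VPN, SAMPLE_ROUTE_TABLE, "10.10.0.0/16", "10.20.0.0/16"):
        print("FINDING:", f)
    print(traffic_pattern(184 * 1024, 0))
```

With the constructed sample the audit reports a single finding: the only route covering 10.20.0.0/16 is the 0.0.0.0/0 default pointing at the internet gateway, so packets for the Azure VNET never reach the VGW. Adding a static route for the VNET with the VGW as next hop (or enabling route propagation from that VGW) clears it. For a TGW-attached VPN the same longest-prefix check applies to the TGW route table and to the VPC route pointing at the TGW (item 7).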
